Monday 25 January 2016

A Year in Vendor Patching: Does an Increase in Patches Mean we are More or Less Secure? [Link - Infosecurity]

I'm very proud to have a blog piece published by Infosecurity.

http://www.infosecurity-magazine.com/blogs/a-year-in-vendor-patching/

===============

Vulnerabilities and subsequent vendor patches are part and parcel of a company’s use of different operating systems and product software. However, a significant increase in the number of vendor patches released in 2015, in comparison to 2014, alongside the number of high-profile breaches prompts the question: Why was 2015 such an insecure year for vendors and why did cyber-threats see a marked increase?

A recent report by PricewaterhouseCoopers suggests that incidents of cyber-attacks or breaches have risen by 38% from 2014. A study by HP Enterprise Security found that this growing phenomenon is costing UK firms an average of £4.1m a year.

In terms of patching, Apple led the vendor list by experiencing 654 vulnerabilities, up an enormous 179% from 288 vulnerabilities in 2014. Microsoft was in second place with 571 vulnerabilities discovered, up from 376 vulnerabilities the year before.

Vendor Patches and the Inherent Risks

There are some basic recommendations when using a computer to access the internet, such as: use anti-malware software, don’t use the same password for all your accounts, and ensure the operating system and applications are regularly patched.

When it comes to vendor patches, the issue is that the user is only secure once the vulnerabilities are addressed. This leaves a window of exposure between the public disclosure of a vulnerability and the user applying the patch, during which everyone, including malicious hackers, is aware of it. The most appropriate recommendation is to apply patches as soon as possible, and to use solutions that can shield devices from the vulnerabilities until the patch is applied.

A Reason for Concern

There were 273 patches from four vendors in just one week in December 2015. The four vendors were Apple, Adobe, Microsoft and Google. This means that organizations that operate devices running the software these vendors produce will have experienced a very busy week of implementing patches.

On one hand, companies should be comforted by the diligence of these vendors in picking up vulnerabilities and creating patches. On the other hand, CISOs and CIOs should also show a healthy fear and appreciation of the changing security landscape.

The security industry has dealt with more targeted and sophisticated attacks in the past year, with attackers finding ways around existing security protection from vendors. A good example is the clever exploitation of the XGhost app development code that allowed malware to be uploaded by unsuspecting app developers.

Are We More or Less Secure Than a Year Ago?

The security threat landscape has evolved considerably in the last 12 months. Not only have there been more DDoS and ransomware attacks, but big software giants like Adobe and Facebook have both been under attack from bugs and malware that infect their software. These two breaches resulted in major data loss for both companies, in the form of contact and payment details, which attackers can use for brute force attacks or phishing scams.

The entire online community seems to be more at risk than a year ago. Cybersecurity has risen to the top of the agenda for the C-suite, who may have experienced or watched their peers deal with embarrassing leaks.

It may be the vast rewards that attackers can gain from data or the greater access to internet-connected devices, but one thing is clear: attacks on software providers will only grow in frequency and sophistication throughout 2016, mirroring the wider cyber-attacks on companies.
